metascan multi-scanning technology

Metascan ® Multi-scanning Technology Tony Berning Product Manager [email protected] March 2013

Upload: opswat

Post on 05-Dec-2014


DESCRIPTION

The evolving threat landscape, why multi-scanning is needed, and OPSWAT's Metascan technology

TRANSCRIPT

Page 1: Metascan Multi-scanning Technology

Metascan® Multi-scanning Technology

Tony Berning

Product Manager

[email protected]

March 2013

Page 2: Metascan Multi-scanning Technology

Agenda

Introduction to Multi-scanning

The evolving threat landscape

Why multi-scanning?

Metascan

Additional Uses of Metascan

Getting started with Metascan

Page 3: Metascan Multi-scanning Technology

The Evolving Threat Landscape

From hacking for fun to cracking for profit

Page 4: Metascan Multi-scanning Technology

The Evolving Threat Landscape

Timeline: 1998, 2002, 2006, 2010, 2012

Eras: Virus/Worm Era; Spyware and Adware; E-Crime; …; Cyber warfare

Motivation: 15 minutes of fame; Borderline legal ways of making money; Make money fast by exploiting; Stuxnet, DuQu and Flame

Opportunity: Improved connectivity; Increase in users, web traffic & searches; More time on Facebook, Twitter and YouTube; Easier to find personal details -> used to infiltrate organizations

Methods: Quiet Attacks; Primary vectors web & mobile; Phishing attacks; Attacks focused on specific sites; Targeted Attacks; Cyber warfare

Page 5: Metascan Multi-scanning Technology

The problem: Too much malware, insufficient detection

Page 6: Metascan Multi-scanning Technology

Over 130,000 new malicious programs appear every day

“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”

http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity

The rapid growth in the amount of malware continues to accelerate

No AV vendor can keep up with the number of new malware variants

The Problem

Insufficient Detection by any one Anti-Malware Product

Page 7: Metascan Multi-scanning Technology

The Solution

Multiple Anti-Malware Engines

Page 8: Metascan Multi-scanning Technology

Why Use Multiple Anti-Malware Engines?

Increase malware zero hour detection rates

Decrease malware detection time after an outbreak

Increase resiliency to anti-malware engines’ vulnerabilities

Page 9: Metascan Multi-scanning Technology

The Solution

Every engine misses something

No anti-malware product is perfect but together they have a greater rate of detection due to their unique features

Engine 1 Detection Rate:

Engine 2 Detection Rate:

100%

Page 10: Metascan Multi-scanning Technology

Improve Detection Using Multiple Anti-Malware Engines

This graph shows the time between malware outbreak and detection by six anti-malware engines for 75 outbreaks over three months.

No vendor detects every outbreak.

Only by combining six engines in a multi-scanning solution are outbreaks detected quickly.

By adding additional engines, zero hour detection rates increase further.

* Source: av-test.org

Zero hour detection

5 min to 5 days

No detection at 5 days

Page 11: Metascan Multi-scanning Technology

Multiple Engines Increase Resiliency to Anti-Malware Engine Vulnerabilities

Anti-malware product vulnerabilities from the National Vulnerability Database

[Chart: Number of Vulnerabilities in Antivirus products [CVEs] by Year, 2005 to 2012; vertical axis from 0 to 70]

Page 12: Metascan Multi-scanning Technology

Metascan

Multi-scanning solution

Page 13: Metascan Multi-scanning Technology

What is Metascan?

Multi-scanning engine

A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture

Supports 0 to 30 anti-malware engines [and growing!]

Simultaneously scans files with all engines

Scan directories, files, archives, buffers, and boot sector

Automatic online definition updates or manual offline updates

Page 14: Metascan Multi-scanning Technology

What is Metascan?

Multi-scanning engine

Flexible and scalable API driven solution

Many programming interfaces: C++, Java, PHP, C#/ASP.NET, RESTful (Web API)/HTTP, CLI [command line interface]

Analyzes files locally on a single server or remotely accesses files from Windows, Macintosh, or Linux systems

Page 15: Metascan Multi-scanning Technology

Metascan

Who uses Metascan?

Analysts who research threats in binaries

• CERTs (Computer Emergency Response/Readiness Teams)

• Government agencies

• Federal and State Law enforcement agencies

• Computer forensic analysts

IT security managers who seek to control data flow

• Files from public facing sharing/upload sites

• Data moving across internal security domains

• Detect infected attachments

Independent software vendors seeking to identify threats in their binaries

• False positives

• Accidental infections

Page 16: Metascan Multi-scanning Technology

Metascan Standard packages

Metascan is available in preconfigured packages that include 0-16 embedded engines

Best performance from fully embedded engines

Easy to use – engines update automatically or as a single offline package

Page 17: Metascan Multi-scanning Technology

Metascan

Custom packages

Create your own custom packages

Add engines to any standard package. For example, create Metascan 20 by adding McAfee, Symantec, Kaspersky and Sophos to the Metascan 16 standard package

Pick and choose from our custom engine list to create your own custom package (currently up to 30 engines)

Page 18: Metascan Multi-scanning Technology

Additional Uses of Metascan

Metascan Online (www.metascan-online.com)

• Online implementation of Metascan with 40+ engines

• Upload and Scan files

• Lookup by file hash

• Web Interface and REST API

Metadefender

• Metascan client that examines the content on physical media such as USB flash drives, CDs and DVDs.

• Available as standalone software or as a physical kiosk

Page 19: Metascan Multi-scanning Technology

Getting Started with Metascan

For more information on Metascan and Metadefender go to: http://www.opswat.com/metascan

For a free 30 day trial of Metascan and Metadefender go to: http://portal.opswat.com

If you would like more information about purchasing Metascan or Metadefender please contact OPSWAT Sales at: [email protected]

If you have feedback or questions about Metascan or Metadefender contact OPSWAT Product Management at: [email protected]